Restrictive blinding of secret-key certificates

Many signature transporting mechanisms require a signer to issue triples, consisting of a secret key, a matching public key, and a certificate of the signer on the public key. Of particular interest are so-called restrictive blind signature issuing protocols, in which the receiver can blind the issued public key and the certificate but not a certain predicate of the secret key. This paper describes the first generally applicable technique for designing efficient such issuing protocols, based on the recently introduced notion of secret-key certificates. The resulting three-move issuing protocols require the receiver to perform merely a single on-line multiplication, and the property of restrictive blinding can be proved with respect to a plausible intractability assumption. Application of the new issuing protocols results in the most efficient and versatile off-line electronic cash systems known to date, without using the blind signature technique developed by Chaum.